
CN100450012C - A mobile agent-based intrusion detection system and method - Google Patents


Info

Publication number: CN100450012C (granted patent); application CNB2005100277814A; pre-grant publication CN1719780A
Authority: CN (China)
Prior art keywords: network, host, voting, hosts, event
Legal status: Expired - Fee Related (status as listed by Google Patents, not a legal conclusion)
Application number: CNB2005100277814A
Other languages: Chinese (zh)
Other versions: CN1719780A (en)
Inventors: 郑记, 王新
Current assignee: Fudan University
Original assignee: Fudan University
Priority date: 2005-07-15
Filing date: 2005-07-15
Publication dates: 2006-01-11 (CN1719780A), 2009-01-07 (CN100450012C, grant)
Events: application filed by Fudan University; priority to CNB2005100277814A; publication of CN1719780A; application granted; publication of CN100450012C; anticipated expiration; current status Expired - Fee Related

Landscapes

  • Computer And Data Communications (AREA)

Abstract

The invention belongs to the field of network security technology and is specifically a mobile-agent-based intrusion detection system and method. The detection system consists of monitors, executors, controllers, coordinators, voting agents, result agents and response agents, and is denoted PIDS. When a host running PIDS discovers suspicious behaviour it initiates a voting process in which several peer hosts in the network jointly decide whether the event is malicious; if the event is judged malicious, every host in the network is notified to take appropriate measures so that loss or damage is avoided. The characteristics of the invention are: fast response, since a host that finds a virus immediately notifies the other hosts, avoiding losses such as file destruction or data theft; low network load, while distributed intrusions can still be handled; and latency and network load that grow only slightly with network size, which makes the system suitable for large networks.

Description

A mobile agent-based intrusion detection system and method

Technical field

The invention belongs to the field of network security technology and in particular relates to a peer-to-peer intrusion detection system and method with self-learning capability.

Background

With the growth of the Internet the volume of network information is expanding rapidly and people depend more and more on the network, but the network also makes it easier for viruses to spread. Viruses now spread faster and do more damage, and they are also harder to detect. How to protect important information resources effectively from theft and destruction has become a major problem. The ideal approach is to prevent virus infection and hacker intrusion and to keep systems updated. Neither anti-virus software nor firewalls solve this problem well: anti-virus software can only detect whether files are infected and repair damaged files, while a firewall can only block port connections and cannot distinguish a legitimate connection from an illegal intrusion. A traditional intrusion detection system uses a client/server structure; the server carries a heavy load and is an easy target for attack, and once the server is compromised the whole system is paralysed. The peer-to-peer intrusion detection system and method proposed here, based on mobile agent technology, addresses these problems well.

Summary of the invention

The purpose of the invention is to propose a detection system and method that can actively discover virus infections and network intrusions, so that the other hosts in the network can be notified to take timely measures against data being destroyed or stolen.

The detection system proposed by the invention, which can actively discover viruses and network intrusions, consists of a monitor, an executor, a controller, a coordinator, a voting agent, a result agent and a response agent. It is a peer-to-peer intrusion detection system based on mobile agent technology, abbreviated PIDS. The monitor, executor, controller, coordinator, voting agent, result agent and response agent are all program components implemented with mobile agent technology; the monitor, executor, controller and coordinator are static, while the voting agent, result agent and response agent are dynamic and can migrate within the network. A mobile agent is a program that models human behaviour and relationships, has a degree of intelligence, and can migrate autonomously between homogeneous or heterogeneous network hosts and provide services there. The parts of the system are described as follows:

(1) The monitor is the basic unit of the system and is mainly responsible for detecting security events that occur on the local host. The system has several kinds of monitor, each responsible for one kind of security event, including watching system logs, file changes, port connections and system logins, and searching for virus signatures. As soon as a monitor finds that a security event has occurred it collects the event's characteristic information and reports it to the controller.

(2) The executor is also a basic unit of the system and is mainly responsible for carrying out the tasks related to a security event that the controller delegates to it. Likewise, each kind of executor is responsible for one task, including removing viruses, repairing files, refusing connections and disconnecting from the network. Like monitors, executors can be added and upgraded dynamically to keep up with changing viruses and intrusions.

(3) The controller is the middle layer, between the monitors and executors on one side and the coordinator on the other. The controller analyses the security event information reported by a monitor against the local security knowledge base. If it can identify the reported event it sends a command directly to an executor, which runs the handling routine according to that command. Otherwise the controller extracts the key information of the event from the security report and reports it to the coordinator, requesting that a voting process be initiated so that hosts across the network jointly watch for such events, reach a judgement, and take further action on that basis.

(4) The coordinator coordinates the system. On receiving a request from the controller it initiates the voting process, asking the other hosts in the network to vote jointly on whether the security event is malicious. If so, it notifies all hosts to take the necessary measures against virus infection or network intrusion.

(5) The voting agent is a dynamic mobile agent. The coordinator of the host that initiates a vote dispatches a voting agent to other hosts in the network so that several hosts reach a collaborative decision. The voting agent carries the characteristics of the security event, the source address and the constraints on the vote (such as its time limit); each host in the network votes on the event according to its local situation, and the coordinator tallies the votes and makes the final decision.

(6) The result agent is a mobile agent that carries each host's vote. After a host fills in its ballot in the result agent, it sends the result agent to the coordinator of the host that initiated the vote. For security reasons the vote it carries is encrypted.

(7) The response agent is a mobile agent that notifies all hosts in the network of the final voting result. The coordinator of the initiating host tallies the votes; if more than half of the valid votes are for "malicious", the event is considered malicious and all hosts are notified to prepare their response.
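The description only says that the vote carried by the result agent is "encrypted", but what the tally in (7) actually depends on is that every ballot it counts as a "valid vote" is a genuine, single ballot from a host on this round's route; a forged, replayed or altered ballot that passes as valid would swing the decision. The following Python is an added example written for this page, not code from the patent: it binds each ballot to the round nonce, the voter and the event with an HMAC under a group key, and the coordinator counts only ballots whose tag verifies, one per voter. The pre-shared group key, the nonce format and the JSON ballot encoding are assumptions. Confidentiality of the ballot (the encryption the patent mentions) is a separate layer and is not shown.

```python
import hashlib
import hmac
import json
import secrets

# Added example, not the patent's code. Assumption: every host in the multicast
# group holds a pre-shared group key; the key below is constructed for the example.
GROUP_KEY = b"pids-group-key-constructed-for-this-example"


def new_round_nonce():
    """Fresh nonce the coordinator writes into the voting agent; a ballot is only
    valid for the round whose nonce it carries, so old ballots cannot be replayed."""
    return secrets.token_hex(16)


def _ballot_bytes(round_nonce, voter, event_id, malicious):
    # Canonical encoding: voter and coordinator must MAC exactly the same bytes.
    return json.dumps([round_nonce, voter, event_id, bool(malicious)],
                      separators=(",", ":")).encode()


def make_result_agent(key, round_nonce, voter, event_id, malicious):
    """Voter side: fill in the ballot and tag it with HMAC-SHA256 under the group key."""
    tag = hmac.new(key, _ballot_bytes(round_nonce, voter, event_id, malicious),
                   hashlib.sha256).hexdigest()
    return {"round": round_nonce, "voter": voter, "event": event_id,
            "malicious": bool(malicious), "tag": tag}


def verify_result_agent(key, round_nonce, event_id, route, agent):
    """Coordinator side: accept a ballot only if it is for this round and event,
    from a host on the route, and its tag verifies (constant-time comparison)."""
    if (agent.get("round") != round_nonce or agent.get("event") != event_id
            or agent.get("voter") not in route):
        return False
    expected = hmac.new(key, _ballot_bytes(round_nonce, agent["voter"], event_id,
                                           agent.get("malicious")), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(agent.get("tag", "")))


def accepted_ballots(key, round_nonce, event_id, route, agents):
    """The 'valid votes' the tally should count: verified ballots, one per voter
    (the first verified ballot from a host wins; a later duplicate is ignored)."""
    valid = {}
    for a in agents:
        if verify_result_agent(key, round_nonce, event_id, route, a):
            valid.setdefault(a["voter"], a["malicious"])
    return valid


if __name__ == "__main__":
    nonce = new_round_nonce()
    route = ("A", "B", "C", "D")
    good = [make_result_agent(GROUP_KEY, nonce, v, "e1", m)
            for v, m in (("A", True), ("B", True), ("C", False))]
    forged = make_result_agent(b"attacker-key", nonce, "D", "e1", True)   # wrong key
    replay = make_result_agent(GROUP_KEY, "old-round", "D", "e1", True)   # stale round
    tampered = dict(good[2], malicious=True)                              # C's vote flipped
    print(accepted_ballots(GROUP_KEY, nonce, "e1", route, good + [forged, replay, tampered]))
```

Run as a script, only the three genuine ballots survive; the ballot under the wrong key, the ballot from an earlier round and the altered copy of C's ballot are all dropped before the majority rule is applied.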

In the mobile-agent-based intrusion detection method proposed by the invention, all hosts are first required to join a multicast group, and the hosts in the group form a peer-to-peer network. PIDS runs on every host in the network; it uses the local knowledge base to recognise virus infections and network intrusions, then removes the virus or repels the intrusion. If a host discovers a suspicious event (possibly a new virus or a new intrusion technique), it initiates a voting process in the network and several hosts jointly judge whether the event is malicious. The voting process proceeds as follows. The host that discovered the suspicious event first extracts the relevant information about it, randomly selects a certain number of hosts in the group to form a migration route map, and then dispatches a mobile agent carrying the suspicious-event information. The mobile agent migrates to each selected host along the route map; each selected host closely watches whether such events occur locally and how often, and reaches a judgement within a set time. The judgement works as follows: PIDS assigns each suspicious event a safety factor (a suspicion score; a higher value means the event is more likely malicious) that changes dynamically with the frequency of the event, and if the safety factor exceeds a threshold the event is considered malicious. Each host votes according to how the event's safety factor changed over the time period, and each selected host then sends an agent carrying its vote back to the initiating host. The initiating host tallies the votes; if more than half are for "malicious", the event is deemed malicious, and all hosts in the network are notified to take appropriate security measures.

In the invention all hosts join a multicast group. A newly joined host announces itself to the other hosts with a multicast message, and the hosts that receive it reply; in this way a host declares its presence and discovers all the hosts in the group.

The characteristics of the invention are: fast response, since a host that finds a virus immediately notifies the other hosts, avoiding losses such as file destruction or data theft; low network load, because a vote is initiated only when suspicious behaviour is found, while distributed intrusions can still be handled; and latency and network load that change only slightly as the network grows, which makes the method suitable for large networks.

Description of the drawings

Figure 1 is a schematic diagram of how PIDS works.

Figure 2 is a flow chart of the PIDS workflow.

Figure 3 shows how the LAN autonomous anti-virus system works.

Reference numerals in the figures: 1 monitor, 2 executor, 3 controller, 4 coordinator, 5 voting agent, 6 result agent, 7 response agent.

Detailed description

In the invention the monitor, executor, controller, coordinator, voting agent, result agent and response agent are interrelated and interdependent and form a complete, layered system. Monitor 1 and executor 2 are the most basic units of PIDS: the monitor watches the various activities on a node and captures abnormal events, and the executor is the component that removes viruses, repairs files, disconnects network connections and so on. Both are the lowest-level units under the controller.

As shown in Figure 1, if controller 3 on host A reports to coordinator 4 that a suspicious event has occurred, coordinator 4 randomly selects a certain number of hosts in the network (say B and C), draws up a route map, and dispatches into the network a voting agent 5 carrying the suspicious-event information. Voting agent 5 migrates through the network along the route map and tells the other hosts (B, C) to watch the activity of this kind of event on their own machine and to update the event's safety factor dynamically according to how often it occurs; when the safety factor exceeds the threshold, the event is judged malicious. The safety factor does not grow in proportion to the event frequency: it grows faster and faster as the frequency rises, so that the system responds more promptly. For example, the safety factor of an event might move through {1/10, 1/8, 1/6, 1/4, 1/2, 1}: the first time the event occurs within a given period the safety factor is 1/10, the second time 1/8, the third 1/6, the fourth 1/4, the fifth 1/2, and the sixth time it becomes 1, reaching the system's threshold (the text says "exceeds", but in the worked example the threshold is 1 and the judgement fires when the factor reaches it), and the malicious behaviour is confirmed.
Conversely, as the frequency of the event falls the safety factor falls with it, quickly at first and then by smaller and smaller steps. Within a certain time range (set by the requirements carried in the voting agent), the other hosts (B, C) send result agents 6 carrying their votes to host A. Host A, which initiated the vote, tallies the results; if more than half of the valid votes are for "malicious", the event is judged malicious and a response agent 7 is sent into the network to notify all hosts to take appropriate action.

Based on the mobile-agent intrusion detection method we designed a "LAN autonomous anti-virus system". In this case (Figure 3) several hosts (S, A, B, C, D) form a simple local area network, and each host has a copy of the LAN autonomous anti-virus system software installed, which uses the basic architecture of Figure 1. Its operation is illustrated by the system's autonomous detection of a Code Red virus variant:

(1) The "Code Red virus monitor" on host S detects a suspicious event whose signature information resembles the Code Red virus. The monitor collects the characteristic information of the suspected virus and forwards it to the controller in the layer above. The controller cannot confirm it against the local knowledge base, so it performs a simple extraction on the collected information and forwards the result to the coordinator, which immediately sends a voting agent to hosts A, B, C and D requesting their assistance, thereby initiating the voting process.

(2) Hosts A, B, C and D, having received the voting agent, monitor the activity of this kind of event locally and vote on the safety of the event within a set time (the voting time is set in the voting agent by the host that initiated the vote). The initial safety-factor schedule the system sets for this suspicious event is {1/10 at 1 occurrence, 1/8 at 2, 1/6 at 3, 1/4 at 4, 1/2 at 5, 1 at 6} (written in the original as {1/10/1, 1/8/2, 1/6/3, 1/4/4, 1/2/5, 1/1/6}): within the set period (here one minute), one occurrence of the suspicious event gives a safety factor of 1/10, two occurrences give 1/8, and at six occurrences the safety factor becomes 1, which is the threshold, at which point the host casts a "confirmed" vote. The vote is placed in a result agent, which is sent to the host that reported the suspicious event.

(3) The source host tallies the votes; if more than half of the valid votes confirm, the event is judged malicious and a response agent is sent to notify every host in the network to take the corresponding security measures. In addition, each host can notify the others and send them system upgrade patches, so that the upgrade is completed as quickly as possible and the virus is prevented from infecting the whole network.

(4) Testing shows that the system's virus detection rate is above 98%; compared with a traditional system it has the advantages of intelligence, fast response, low network load and suitability for large networks.
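The voting round described in the method above and worked through in the Code Red case (hosts S, A, B, C, D, the one-minute window and the schedule 1/10, 1/8, 1/6, 1/4, 1/2, 1) as an added, runnable Python simulation; this is example code written for this page, not the patent's implementation. The host names, event timestamps, the event identifier string, the fixed random seed and the rule that the factor is computed over a trailing window (the patent describes the decay only qualitatively) are assumptions. Two things the prose leaves implicit that the code makes explicit: a result agent that arrives after the voting deadline is not a valid vote, and "more than half of the valid votes" is a strict majority, so a 2-2 split among four selected hosts does not confirm the event.

```python
import random
from dataclasses import dataclass

# Added example, not the patent's code. The schedule and the 1-minute window are
# from the patent's worked case; host names, timestamps and the event id are constructed.
SAFETY_SCHEDULE = (1 / 10, 1 / 8, 1 / 6, 1 / 4, 1 / 2, 1.0)  # factor after the n-th occurrence
THRESHOLD = 1.0   # the host votes "malicious" once the factor reaches this value
WINDOW = 60.0     # seconds; the voting time the initiator writes into the voting agent


def safety_factor(times, now=None, window=WINDOW):
    """Safety factor of an event from the timestamps at which one host saw it.

    Assumption: only occurrences inside a trailing window count. The factor then
    climbs faster and faster while the event keeps recurring (1/10, 1/8, ..., 1)
    and falls back as old occurrences age out, quickly at first (1 -> 1/2) and
    then by smaller steps (1/8 -> 1/10), matching the decay the patent describes.
    """
    if not times:
        return 0.0
    now = times[-1] if now is None else now
    recent = [t for t in times if now - window < t <= now]
    if not recent:
        return 0.0
    return SAFETY_SCHEDULE[min(len(recent), len(SAFETY_SCHEDULE)) - 1]


@dataclass(frozen=True)
class VotingAgent:
    event_id: str     # key information the controller extracted from the report
    source: str       # host whose coordinator started the vote
    route: tuple      # migration route map: the randomly selected voters
    deadline: float   # result agents arriving after this are not valid votes


@dataclass(frozen=True)
class ResultAgent:
    voter: str
    event_id: str
    malicious: bool
    sent_at: float


def host_vote(host, agent, observed, sent_at):
    """Voter side: watch the event locally until the deadline and vote
    'malicious' if the safety factor reached THRESHOLD at any occurrence."""
    times = sorted(t for t in observed.get(host, ()) if t <= agent.deadline)
    hit = any(safety_factor(times[: i + 1]) >= THRESHOLD for i in range(len(times)))
    return ResultAgent(host, agent.event_id, hit, sent_at)


def tally(agent, results):
    """Initiator side: a result agent is a valid vote only if it comes from a host
    on the route, refers to this event, arrived by the deadline and is that host's
    first ballot. 'More than half of the valid votes' is a strict majority, so a
    tie does not confirm. Returns (malicious, yes_votes, valid_votes)."""
    ballots = {}
    for r in results:
        on_time = r.sent_at <= agent.deadline
        if r.voter in agent.route and r.event_id == agent.event_id and on_time:
            ballots.setdefault(r.voter, r.malicious)
    yes = sum(ballots.values())
    return yes * 2 > len(ballots), yes, len(ballots)


def run_round(initiator, group, observed, k, now, seed, send_times=None):
    """One PIDS round: the initiator's coordinator picks k peers at random, sends
    the voting agent along that route, collects result agents and decides.
    Returns (malicious, yes_votes, valid_votes, route)."""
    rng = random.Random(seed)
    peers = [h for h in group if h != initiator]
    route = tuple(rng.sample(peers, k))
    agent = VotingAgent("sig:codered-variant", initiator, route, now + WINDOW)
    send_times = send_times or {}
    results = [host_vote(h, agent, observed, send_times.get(h, agent.deadline)) for h in route]
    malicious, yes, valid = tally(agent, results)
    return malicious, yes, valid, route


# Constructed observations (seconds after the vote starts): A and B each see six
# hits inside the minute, C sees three spread over minutes, D sees none.
OBSERVED = {
    "A": [0, 10, 20, 30, 40, 50],
    "B": [2, 4, 6, 8, 10, 12],
    "C": [0, 70, 140],
    "D": [],
}

if __name__ == "__main__":
    print(run_round("S", ["S", "A", "B", "C", "D"], OBSERVED, 4, 0.0, seed=7))
    # D's ballot arrives late, so only three votes are valid and 2 of 3 confirm:
    print(run_round("S", ["S", "A", "B", "C", "D"], OBSERVED, 4, 0.0, seed=7, send_times={"D": 75.0}))
```

With all four ballots on time the round is a 2-2 split and the event is not confirmed; with D's ballot late it is a 2-of-3 majority and the response agent would be sent. The trailing-window rule is one concrete reading of the patent's "frequency in a certain time": six hits spread over several minutes never reach 1 on this schedule, while six hits inside one minute do.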

Claims (2)

1. A mobile-agent-based intrusion detection system, denoted PIDS, which is located on every host in the network and is characterised in that it is composed of the program components monitor, executor, controller, coordinator, voting agent, result agent and response agent, where the monitor, executor, controller and coordinator are static and the voting agent, result agent and response agent are dynamic and can migrate within the network, specifically as follows:

(1) the monitor is the basic unit of the system and is mainly responsible for detecting security events occurring on the local host; the system has several kinds of monitor, each responsible for one kind of security event, including monitoring system logs, file changes, port connections and system logins and searching for virus signatures; as soon as a monitor finds that a security event has occurred it collects the event's characteristic information and reports it to the controller;

(2) the executor is also a basic unit of the system and is mainly responsible for carrying out the tasks related to security events that the controller delegates; each kind of executor is responsible for one task, including removing viruses, repairing files, refusing connections and disconnecting from the network; executors can also be added and upgraded dynamically to keep up with changing viruses and intrusions;

(3) the controller is the middle layer between the monitors, the executors and the coordinator; the controller analyses the security event information reported by a monitor against the local security knowledge base; if the controller can identify the reported security event information it sends a command directly to an executor, which runs the handling routine according to the controller's command; otherwise the controller extracts the key information of the event from the security event report and reports it to the coordinator, requesting that a voting process be initiated so that hosts across the network jointly watch for such events in order to reach a judgement and take further action;

(4) the coordinator coordinates the system; on receiving the controller's request it initiates the voting process, asking the other hosts in the network to vote jointly on whether the security event is malicious; if so, it notifies all hosts to take the necessary measures against virus infection or network intrusion;

(5) the voting agent is a dynamic mobile agent; the coordinator of the host initiating the vote dispatches the voting agent to other hosts in the network so that several hosts reach a collaborative decision; the voting agent carries the characteristics of the security event, the source address and the constraints on the vote; each host in the network votes on the security event according to its local situation, and the coordinator of the initiating host tallies the votes and makes the final decision;

(6) the result agent is a mobile agent that carries each host's vote; after a host fills in its ballot in the result agent it sends the result agent to the coordinator of the host that initiated the vote;

(7) the response agent is a mobile agent that notifies all hosts in the network of the final voting result; the coordinator of the initiating host tallies the votes, and if more than half of the valid votes are for "malicious" the event is considered malicious and all hosts are notified to prepare their response.

2. A mobile-agent-based intrusion detection method, characterised in that all hosts are first required to join a multicast group, the hosts in the group forming a peer-to-peer network; the mobile-agent-based intrusion detection system is located on every host in the network, recognises virus infections and network intrusions from the local knowledge base, and then removes the virus or repels the intrusion; if a host discovers a suspicious event that it cannot confirm from the local knowledge base, the host that discovered the suspicious event initiates a voting process in the network and several hosts jointly judge whether the event is malicious; the voting process has the following steps: the host that discovered the suspicious event first extracts the relevant information about it and randomly selects a certain number of hosts in the group to form a migration route map, then dispatches a mobile agent carrying the suspicious-event information; the mobile agent migrates to each selected host along the route map, and each selected host closely watches whether such events occur locally and how often, and reaches a judgement within a set time as follows: the mobile-agent-based intrusion detection system assigns each suspicious event a safety factor that changes dynamically with the frequency of the event, and if the safety factor exceeds a threshold the event is considered malicious; the system votes according to the change in the event's safety factor over the time period, and each selected host then sends an agent carrying its vote to the host that initiated the vote; the initiating host tallies the votes, and if more than half are for "malicious" the event is deemed malicious; if it is deemed malicious, all hosts in the network are notified to take appropriate security measures.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005100277814A CN100450012C (en) 2005-07-15 2005-07-15 A mobile agent-based intrusion detection system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2005100277814A CN100450012C (en) 2005-07-15 2005-07-15 A mobile agent-based intrusion detection system and method

Publications (2)

Publication Number Publication Date
CN1719780A CN1719780A (en) 2006-01-11
CN100450012C true CN100450012C (en) 2009-01-07

Family

ID=35931512

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005100277814A Expired - Fee Related CN100450012C (en) 2005-07-15 2005-07-15 A mobile agent-based intrusion detection system and method

Country Status (1)

Country Link
CN (1) CN100450012C (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4774347B2 (en) * 2006-08-18 2011-09-14 Fujitsu Limited Node device, control device, control method, and control program
CN101231682B (en) * 2007-01-26 2011-01-26 李贵林 Computer information safe method
DE602008004491D1 (en) * 2008-07-04 2011-02-24 Alcatel Lucent Method and system for a communication network against intruders
CN101685483B (en) * 2008-09-22 2011-07-20 Chengdu Huawei Symantec Technologies Co., Ltd. Method and device for extracting virus feature code
CN101674324B (en) * 2009-09-23 2012-05-23 Nanjing University of Posts and Telecommunications Multiple-mobile-agent credible interaction method for information acquisition system in open network
US9813423B2 (en) 2013-02-26 2017-11-07 International Business Machines Corporation Trust-based computing resource authorization in a networked computing environment
JP6977507B2 (en) * 2017-11-24 2021-12-08 Omron Corporation Controls and control systems
CN109729084B (en) * 2018-12-28 2021-07-16 Fujian University of Technology A network security event detection method based on blockchain technology

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1384639A (en) * 2002-06-11 2002-12-11 Huazhong University of Science and Technology Distributed dynamic network security protecting system
CN1472916A (en) * 2003-06-24 2004-02-04 Beijing University of Posts and Telecommunications Data Fusion Mechanism of Large-Scale Distributed Intrusion Detection System
JP2005130399A (en) * 2003-10-27 2005-05-19 Nippon Telegraph and Telephone Corporation (NTT) Intrusion detection system, intrusion detection method, and recording medium
CN1625121A (en) * 2003-12-05 2005-06-08 University of Science and Technology of China A Layered Cooperative Network Virus and Malicious Code Identification Method


Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Network intrusion detection based on a multiple decision tree algorithm. 史长琼, 易昂. Computer Engineering and Design (计算机工程与设计), Vol. 25, No. 4, 2004. *

Also Published As

Publication number Publication date
CN1719780A (en) 2006-01-11


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20090107

Termination date: 20110715